This week we saw two more incarnations of the mass-mailing worm Mimail. W32/Mimail.L and W32/Mimail.M are similar in structure, infection and removal. They have a low to medium damage potential and are spreading fairly rapidly. The viruses arrive in rather explicit pornographic messages with attachments that purport to offer photos but actually contain the virus. We leave out the explicit parts in our description below, but you can see the full text at Sophos's or Trend Micro's site. Sophos reports that Mimail.L has an alternate message that is sent without an attachment by an infected machine where the mass-mailing has failed. The alternate message attempts to scare victims with a claim that their credit card is being charged for child pornography.

Mimail's attachment has been reported by several antivirus companies as either a compressed zip file containing an executable, like previous versions of Mimail, or just the executable file. The e-mails come with one of several subject lines: Re[3] (followed by 44 blank characters and some random text), Re[2]We are going to bill your credit card:, or just Re[3].
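As an added example (not from the article or from any vendor's tool), here is a Python triage routine that applies the subject-line patterns above and checks whether an attachment is an executable or a zip archive holding one; the sample message is constructed, with dummy bytes standing in for the payload.

```python
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Subject lines the article lists for Mimail.L/.M: "Re[3]" followed by 44 blank
# characters and random text, "Re[2]We are going to bill your credit card:", or just "Re[3]".
SUBJECT_RE = re.compile(r"Re\[3\]( {44}.*)?|Re\[2\]We are going to bill your credit card:")

def subject_matches(subject):
    return SUBJECT_RE.fullmatch(str(subject or "")) is not None

def executable_attachments(raw):
    """Names of attachments that are .exe files or zip archives holding one."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".exe"):
            hits.append(name)
        elif zipfile.is_zipfile(io.BytesIO(data)):
            # The archive is only listed; nothing is extracted or executed.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                exes = [m for m in zf.namelist() if m.lower().endswith(".exe")]
            if exes:
                hits.append(f"{name} -> {', '.join(exes)}")
    return hits

def triage(raw):
    """Flag a message only when both the subject pattern and an executable payload match."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    subj = subject_matches(msg["Subject"])
    exes = executable_attachments(raw)
    return {"subject_match": subj, "executable_attachments": exes, "flag": subj and bool(exes)}

def build_sample():
    """Constructed test message with a harmless dummy 'exe' inside a zip; not a real worm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos.jpg.exe", b"dummy bytes, not a program")
    msg = EmailMessage()
    msg["Subject"] = "Re[2]We are going to bill your credit card:"
    msg.set_content("check them out in archive")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="photos.zip")
    return msg.as_bytes()
```

Calling triage(build_sample()) returns a dictionary with both indicators set and the flag raised; on real mail, feed the raw RFC 822 bytes of each message.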

When Mimail runs, it drops a copy of itself into the Windows folder (normally C:\Windows for XP/ME/98/95 or C:\Winnt for Windows NT/2000). It then creates a registry value to guarantee it runs when you reboot.

Action               | W32/Mimail.L-mm                | W32/Mimail.M-mm
---------------------|--------------------------------|-----------------------------
Executable file      | svchost.exe                    | netmon.exe
Registry value       | France = %windir%\svchost.exe  | Netmon = %windir%\netmon.exe
Registry key         | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (same key for both versions)
Address harvest file | XU298DA.tmp                    | xjwu2.tmp
DoS targets          | www.authorizenet.com           | darkprofits.ws
                     | disney.go.com                  | www.darkprofits.ws
                     | www.spamcop.net                | darkprofits.cc
                     | www.carderplanet.net           | www.darkprofits.cc
                     | www.cardcops.com               | darkprofits.net
                     | www.register.com               | www.darkprofits.net
                     | www.spews.org                  | darkprofits.com
                     | www.spamhaus.org               | www.darkprofits.com

Once running, Mimail scans your hard drive to harvest e-mail addresses from text, database and e-mail files, and stores them in a .TMP file in the Windows folder. During installation, Mimail also stores copies of itself in the Windows folder, but these copies are normally deleted once the virus has finished infecting the machine.

Like earlier strains of Mimail, this latest version uses its own SMTP engine to send copies of itself with the message reproduced below. The virus checks that the victim has a working Internet connection, then sends messages to the harvested addresses. Trend Micro reports, though, that W32/Mimail.L fails to start its mass-mailing routine because of a bug in its code.

Mimail also attempts a denial-of-service attack against a hard-coded list of web sites. The list differs between versions, but the attacks are similar. According to Symantec's descriptions, both versions of Mimail start up to 15 attack threads at a time against a randomly picked site, using TCP or ICMP. After each thread's attack, the virus sleeps for 5 seconds before trying again. The attack packets (part of the message) are filled with random data. Symantec also reports that both versions capture user data and send it to predetermined e-mail addresses.

Body of e-mail:

Editor's Note: The following messages, while edited for content, remain highly offensive. Read at your own risk.

"Hi Greg its Wendy.
I was shocked, when I found out that it wasn't you but
your twin brother!!! That's amazing, you're as like as two
peas. No one in bed is better than you Greg. I remember,
I remember everything very well, that promised you to
tell how it was, I'll give you a call today after 9.
((expletives deleted -- ed.))
I'm so thankful to you, for acquainted me to your brother.
I think we can do it on the next Saturday all three together?
What do you think? O yes, as you wanted I've made a few
pictures check them out in archive, I hope they will
excite you, and you will dream of our new meeting...
Wendy. "

Alternate Body of e-mail (Mimail.L):

"Good afternoon, We are going to bill your credit card for
amount of $22.95 on a weekly basis. Free pack of child porn CDs
is already on the way to your billing address. If you want to
cancel membership and your CD pack please email order and
credit card details to security@europe.spamhaus.org
Are you ready for all types of underage porn?
We have the best selection for every taste!
Just click the secret links below and have fun:
http://www.spamhaus.org
http://www.spews.org
http://www.register.com
http://www.cardcops.com
http://www.carderplanet.net
http://www.spamcop.net
http://disney.go.com
http://www.authorizenet.com/
Nude boys under 16! Nude girls under 16! Incest, a daddy & a
daughter! We have everything you have ever dreamed for!"

Removal of W32/Mimail.L-mm and W32/Mimail.M-mm is fairly straightforward. The best way is to use an up-to-date antivirus product. Since both versions share characteristics of earlier strains, most if not all AV companies have detection and disinfection. You can use removal tools from Symantec, McAfee's Stinger, or Trend Micro's HouseCall.
Users can manually remove Mimail using the following procedure.

Windows XP/ME users should turn off System Restore first. You'll find more information for Windows XP here and for Windows ME here.

Windows NT/2000/XP users should open Task Manager and terminate the process svchost.exe (Mimail.L) or netmon.exe (Mimail.M). Press CTRL+ALT+DEL to bring up Task Manager, click on the Processes tab and scroll down until you see the process named above.
Windows 9x/ME users can reboot into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, then choose Safe Mode).

Delete the harvested address file and the executable file from your Windows directory (typically C:\Windows or C:\Winnt) as listed in the table above.

Back up the registry. Go to Start > Run, type Regedit and press Enter. Once in the Registry Editor, select "Export" from the File menu. When the export dialog appears, click All for the export range at the bottom of the screen. Type in a name and click Save to save a copy of the registry. To restore the registry later in case of a problem, you just need to double-click on the file name.

Edit the registry: find the registry key listed in the table above and delete the value shown for your variant.

Once finished, reboot and run your antivirus to find any other infected files. Both versions of Mimail create temporary copies of themselves, which may or may not have been deleted during the initial infection.
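An added example, not part of the article, that turns the table and the manual procedure above into a read-only host check in Python: check_host takes the Run-key values and the Windows-folder listing and returns findings together with the matching cleanup steps, and collect_live gathers the real values on Windows. One caveat the procedure glosses over: the genuine svchost.exe runs from System32, so the copy to terminate is the one running directly from the Windows folder.

```python
import ntpath
import os

# Indicators from the table above, keyed by variant (lookup built for this example).
INDICATORS = {
    "W32/Mimail.L-mm": {"run_value": "France", "exe": "svchost.exe", "harvest": "XU298DA.tmp"},
    "W32/Mimail.M-mm": {"run_value": "Netmon", "exe": "netmon.exe", "harvest": "xjwu2.tmp"},
}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def check_host(run_values, windir_files, windir=r"C:\Windows"):
    """Pure check, runs anywhere: run_values maps Run-key value names to data, windir_files
    is the set of names directly in the Windows folder. Returns (findings, cleanup_steps)."""
    files = {name.lower() for name in windir_files}
    findings, steps = [], []
    for variant, ind in INDICATORS.items():
        data = run_values.get(ind["run_value"])
        if data is not None:
            # Expand %windir% the way the registry value is written, then compare paths.
            target = data.lower().replace("%windir%", windir.lower())
            if target == ntpath.join(windir, ind["exe"]).lower():
                findings.append(f"{variant}: Run value '{ind['run_value']}' = {data}")
                steps.append(f"delete value '{ind['run_value']}' under HKLM\\{RUN_KEY}")
        if ind["exe"].lower() in files:
            # A genuine svchost.exe lives in System32, never directly in the Windows folder.
            findings.append(f"{variant}: {ind['exe']} present in {windir}")
            steps.append(f"terminate {ind['exe']} and delete {ntpath.join(windir, ind['exe'])}")
        if ind["harvest"].lower() in files:
            findings.append(f"{variant}: address harvest file {ind['harvest']} present")
            steps.append(f"delete {ntpath.join(windir, ind['harvest'])}")
    return findings, steps

def collect_live():
    """Windows only, read-only: enumerate the real Run key and the Windows folder."""
    import winreg
    windir = os.environ.get("WINDIR", r"C:\Windows")
    values, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised when there are no more values
                break
            values[name], index = str(data), index + 1
    return values, set(os.listdir(windir)), windir

if __name__ == "__main__":
    # Constructed sample standing in for an infected Mimail.L machine on non-Windows hosts.
    sample = ({"France": r"%windir%\svchost.exe"}, {"svchost.exe", "XU298DA.tmp"}, r"C:\Windows")
    for line in check_host(*(collect_live() if os.name == "nt" else sample))[0]:
        print(line)
```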